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ICO Consultation: data sharing code of practice 


Company name: 
Direct Marketing Association UK Limited (DMA) 
About the DMA: 


The DMA is the trade body for the data and marketing industry. We represent over 1,000 organisations — 
encompassing brands, agencies and marketing service companies. We produce guidance on the buying and 
selling of data that is widely used by DMA members. We have large data companies in DMA membership, such 
as Experian, Acxiom and CACI. 


Please visit our website www.dma.org.uk for more information about us. 
Introduction: 

The DMA welcomes the opportunity to respond to this consultation issued by the ICO. 
Consultation questions: 


Question 1: We intend to revise the code to address the impact of changes in data protection legislation, 
where these changes are relevant to data sharing. What changes to the data protection legislation do you 
think we should focus on when updating the code? 


The most important change in data protection law was the General Data Protection Regulation (GDPR), which 
was implemented in the UK along with the various derogations via the Data Protection Act 2018 (DPA 18). 
These laws provide the framework for how businesses process personal data, which includes data sharing. 


Questions 2 and 3: Apart from recent changes to data protection legislation, are there other developments 
that are having an impact on your organisation’s data sharing practice that you would like us to address in 
the updated code? 


Yes, the ICO should also take account of industry best practice and advice concerning data sharing. Many 
organisations will be using industry guidance currently and it is important that they receive consistent 
messages. If guidance and advice are confused or in some cases contradictory then organisations will struggle 
to achieve both compliance with the law and conformity to best practice. 


The DMA has created a document, which has been shared with the ICO that defines the uses of third party 
data by marketers and what the legal basis for the processing could be. The document has been created 
working with the UK’s leading third party data companies, such as Experian, Acxiom and the Read Group. The 
data sharing code of practice should make reference to this document and ensure that there is a consistency 
in the advice that marketers receive. 


Direct Marketing Association (UK) Ltd, DMA House, 70 Margaret Street, London W1W 8SS 
t 020 7291 3300 f020 7291 3301 e dma@dma.org.uk w www.dma.org.uk 


The Direct Marketing Association (UK) Ltd is a company limited by Guarantee. Registered in England No. 2667995. Registered office as above 


dma 


Questions 4 and 5: Does the 2011 data sharing code of practice strike the right balance between recognising 
the benefits of sharing personal data and the need to protect it? Please give details. 


Yes. 


The Information Commissioner’s foreword explains that data sharing plays a crucial role in helping businesses 
to provide a more efficient and quality service for their customers. This is especially true from a marketing 
perspective, where data sharing takes place so businesses can gain new insights into their customers. This 
allows for more efficient marketing techniques. If marketers understand more about their customers then 
they can target their messages. 


The code of practice is comprehensive and, therefore, very helpful for the many sectors of the economy 
involved in data sharing of some sort. The revised code of conduct should also acknowledge the valuable role 
that data sharing plays in the UK economy, while at the same time recognising that safeguards need to be put 
in place. 


Question 8: What types of data sharing (eg systematic, routine sharing or exceptional, ad hoc requests) are 
not covered in enough detail in the 2011 code? 


The 2011 code did not have enough marketing related examples. Given that marketing is one of the largest 
data-driven industries, it is important to issue guidance that reflects this. The greater use of marketing case 
studies would give clarity about what marketers are able to do in terms of data sharing. 


The DMA has sent a guidance document to the ICO, which is currently being reviewed, concerning the use of 
third party data for marketing under GDPR. This document includes many examples and would be a useful 
addition to the data sharing code of practice. The new code could reference this document and incorporate 
some of the examples. 


Question 10: Please provide details of any case studies or data sharing scenarios that you would like to see 
included in the updated code? 


The new code of practice should include more case studies and examples relevant to marketing and 
advertising. Marketing departments may share information with other organisations or use the services of 
third party data providers who share data with them. 


For example, marketers want to understand their customers and have a comprehensive picture of how their 
business interacts with a customer. A brand may hold data on its customers but in different databases in 
various parts of the business. At the same time, a consumer could have several ways that they identify 
themselves, current or historic or interact with the brand — and this can include name at an old address, 
several email addresses, aliases or a name with just a digital identity. 


Third party data companies are able to join these different data sources together to form a single customer 
view. Something that all marketers want to achieve. Doing so requires data sharing but means organisations 


can communicate much more effectively with the customer and provide a consistent and relevant customer 
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experience across channels, drawing on the full range of information held about that customer and their 
channel preferences. 


Question 11: Is there anything the 2011 code does not cover that you think it should? Please provide the 
details. 


Section 5 of the code of practice goes through conditions for processing; factors to consider and what legal 
basis an organisation could use to share personal data. Marketers often find legitimate interest an ambiguous 
legal ground. In order to educate businesses, the ICO should expand the legitimate interest section. There 
should be detailed information about the balancing test and how to carry one out. Reference should be made 
to the ICO’s own guidance about carrying out a legitimate interest assessment (LIA). The ICO could include 
examples where legitimate interest is likely to be appropriate subject to a successful LIA. 


For example, the Data Protection Network has a series of examples in their legitimate interest guidance?: 


“Example 28 — PROFILING FOR SOCIAL MEDIA TARGETING As part of a multi-media marketing campaign, a 
furniture retailer wishes to use a social media platform to target advertising to existing customers whilst they 
engage with social media. They also wish to use an algorithm provided by the social media provider to better 
target its advertising to ‘lookalikes’ - i.e. other individuals who have similar characteristics to that business’ 
own customers. The business uploads the minimum required personal data on its customers to enable the 
social media targeting but excludes those who have objected to marketing. Profiling is conducted within the 
social media platform to enable the targeting, however, it is purely for marketing purposes and the business 
has assessed that it does not result in any legal or similarly significant effects upon those individuals.” 


Marketers often share data in order to effectively segment their customers. However, marketers want to build 
as comprehensive a view as possible of these individuals, so they often appoint third parties to provide 
additional information. 


Providers can enrich organisations’ existing data sets with third-party data collected from various sources. 
Using this information, marketers can gain a better understanding of their customers and communicate with 
them more efficiently and effectively. Furthermore, they can improve the personalisation of marketing 
communications. Therefore, the ICO should include a new section related to profiling for marketing purposes 
and how this can be carried out under GDPR. 


The DMA has a number of best practice examples in its GDPR profiling guidance that demonstrated how an 
organisation can tell a customer their personal data will be used for profiling. 


One example is from the BBC. Their privacy policy states: 


“Where we provide personalised services, we may analyse the information you supply, as well as your activity 
on our (and other) services, so that we can offer a more relevant, tailored service. For instance, we could use 
your viewing history on iPlayer to provide personalised recommendations or, if the first thing you look at every 
day on BBC Online is the weather for Luton, we could present this information or a link to it on our homepage. 
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If you are signed-in or subscribed to email newsletters, you will receive a personalised service. If you don’t want 
to receive these services you can unsubscribe from email newsletters, or disable personalisation. Please visit 
Your Account in Using the BBC to find out more.” 


Conclusion 


The DMA would be happy to speak about our consultation response in greater detail and answer any 
questions the ICO may have. 
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